Large-scale analysis of format string vulnerabilities in Debian Linux

Chen, Karl; Wagner, David

doi:10.1145/1255329.1255344

Cited by 29 publications

(19 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The attacker is now able to control what the function pops from the stack and can make the program write to arbitrary memory locations. Chen and Wagner [2007] suggest that format string vulnerabilities are more common than previously thought, although not as prevalent as buffer overflows: they found 1533 possibly format string vulnerabilities (of which they assume 85% are real vulnerabilities) on 92 million lines of code that they analyzed on a Debian Linux system. 2.4.2 Exploitation.…”

Section: Format String Vulnerabilitiesmentioning

confidence: 93%

Runtime countermeasures for code injection attacks against C and C++ programs

2012

View full text Add to dashboard Cite

The lack of memory-safety in C/C++ often leads to vulnerabilities. Code injection attacks exploit these to gain control over the execution-flow of applications. These attacks have played a key role in many major security incidents. Consequently, a huge body of research on countermeasures exists. We provide a comprehensive and structured survey of vulnerabilities and countermeasures that operate at runtime. These countermeasures make different trade-offs in terms of performance, effectivity, compatibility, etc. This makes it hard to evaluate and compare countermeasures in a given context. We define a classification and evaluation framework, on the basis of which countermeasures can be assessed.

show abstract

Section: Format String Vulnerabilitiesmentioning

confidence: 93%

Runtime countermeasures for code injection attacks against C and C++ programs

2012

View full text Add to dashboard Cite

show abstract

“…Secure Coding Practices [27,37,50] Lexical Analysis [9,10,49,54] Data-Flow Analysis [17,30] Context Free Grammars [52,53] New APIs [13,36] Learning [15,32,48] Query Modification [4,7,46] Runtime Tainting [22,29,42,56] Data-Flow Analysis [51] Hybrid [24,25,35] Syntax Embeddings [5] Intrusion Set Randomization [3,28,31] The most straightforward and sensible approach is the adoption of secure coding practices [27,50,37], like the ones we mentioned above to prevent sql code injection. However, this does not always happen, as programmers may not be aware of them, or time schedules may be tight, encouraging sloppy practices instead.…”

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

“…Then, the resulting tokens are associated with vulnerable function calls susceptible to buffer overflows like gets, strcpy and scanf. This approach is taken by security utilities like its4, 4 Flawfinder 5 and rats 6 [54,10,9,49]. However, these tools suffer from several false positive and negative reports [11,14].…”

Section: Static Methods Dynamic Methodsmentioning

confidence: 99%

Countering code injection attacks: a unified approach

Mitropoulos

Karakoidas

Λουρίδας

et al. 2011

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Code injection exploits a software vulnerability through which a malicious user can make an application run unauthorized code. Server applications frequently employ dynamic and domain-specific languages, which are used as vectors for the attack. We propose a generic approach that prevents the class of injection attacks involving these vectors: our scheme detects attacks by using location-specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. We have applied our approach successfully to defend against attacks targeting sql, xpath and JavaScript.

show abstract

“…Explicit flow analysis tools [9,16,24] can be used to detect a variety of integrity violations, such as SQL injection vulnerabilities [16,9], format string vulnerabilities [6,21], missed access control checks [25], and user-kernel pointer bugs [13]. These tools can also be used to check confidentiality-oriented properties, to ensure that secret data is not inadvertently leaked.…”

Section: Program Analysis For Securitymentioning

confidence: 99%

“…For example, tools have been developed, in research and industry, to uncover SQL injection vulnerabilities [16,9], missed access control checks [25], user-kernel pointer bugs [13], and format string vulnerabilities [6,21]. At their core, these tools are quite similar in that they track the flow of security-relevant data through the program.…”

Section: Introductionmentioning

confidence: 99%

Implicit Flows: Can’t Live with ‘Em, Can’t Live without ‘Em

King

Hicks

et al. 2008

Information Systems Security

View full text Add to dashboard Cite

Abstract. Verifying that programs trusted to enforce security actually do so is a practical concern for programmers and administrators. However, there is a disconnect between the kinds of tools that have been successfully applied to real software systems (such as taint mode in Perl and Ruby), and information-flow compilers that enforce a variant of the stronger security property of noninterference. Tools that have been successfully used to find security violations have focused on explicit flows of information, where high-security information is directly leaked to output. Analysis tools that enforce noninterference also prevent implicit flows of information, where high-security information can be inferred from a program's flow of control. However, these tools have seen little use in practice, despite the stronger guarantees that they provide.To better understand why, this paper experimentally investigates the explicit and implicit flows identified by the standard algorithm for establishing noninterference. When applied to implementations of authentication and cryptographic functions, the standard algorithm discovers many real implicit flows of information, but also reports an extremely high number of false alarms, most of which are due to conservative handling of unchecked exceptions (e.g., null pointer exceptions). After a careful analysis of all sources of true and false alarms, due to both implicit and explicit flows, the paper concludes with some ideas to improve the false alarm rate, toward making stronger security analysis more practical.

show abstract

Large-scale analysis of format string vulnerabilities in Debian Linux

Cited by 29 publications

References 26 publications

Runtime countermeasures for code injection attacks against C and C++ programs

Runtime countermeasures for code injection attacks against C and C++ programs

Countering code injection attacks: a unified approach

Implicit Flows: Can’t Live with ‘Em, Can’t Live without ‘Em

Contact Info

Product

Resources

About